GitHub: mirkaCH/ssh-bruteforce-detection-ir-lab
# SSH Brute Force Detection & Incident Response Lab
## Overview
This is a beginner-intermediate SOC-style detection and incident response lab focused on SSH brute-force activity. The lab uses a simulated Linux authentication log file and a Docker-based Linux environment for command-line investigation.
The goal is to analyse SSH authentication logs, identify repeated failed login attempts, detect a successful login from the same suspicious IP address, extract indicators of compromise, map the activity to MITRE ATT&CK, and write basic incident response recommendations.
## Category
SOC / Blue Team / Log Analysis / Incident Response
## Difficulty
Beginner-Intermediate
## Scenario
A Linux server has generated suspicious SSH authentication activity. Multiple failed login attempts were observed against several user accounts. Shortly after the failed attempts, a successful login occurred from the same external IP address.
Your task is to investigate the logs, identify the attacker IP address, determine which account was successfully accessed, review post-login activity, and document the incident.
## Objectives
- Analyse SSH authentication logs
- Identify repeated failed login attempts
- Identify the suspicious source IP address
- Identify targeted usernames
- Identify successful login after failed attempts
- Identify suspicious post-login activity
- Extract indicators of compromise
- Count failed login attempts
- Map the activity to MITRE ATT&CK
- Write detection logic and incident response recommendations
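The objectives above are the steps of one triage procedure, so here is an added worked example that carries them through with the tools the lab lists (`grep`, `sort`, `wc`/`uniq`, plus `awk`). This is not one of the lab's files and not the author's solution: the log lines, hostnames, usernames and the addresses 203.0.113.45 and 198.51.100.7 (RFC 5737 documentation ranges) are constructed here so the script runs stand-alone; point the functions at the lab's own `auth.log` to investigate the real scenario. The failure threshold of 5 is an assumption to tune for your environment.

```shell
#!/bin/sh
# Added example (not part of the lab): SSH brute-force triage with standard Unix tools.
# Every log line below is CONSTRUCTED for this example; the IPs are RFC 5737
# documentation addresses, and the lab's own auth.log will differ.

# Write a constructed auth.log to the path in $1 (swap in the lab's file instead).
write_sample_log() {
  cat > "$1" <<'EOF'
Mar 10 08:01:02 server sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Mar 10 08:01:04 server sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 50123 ssh2
Mar 10 08:01:07 server sshd[1203]: Failed password for root from 203.0.113.45 port 50124 ssh2
Mar 10 08:01:09 server sshd[1203]: Failed password for root from 203.0.113.45 port 50125 ssh2
Mar 10 08:01:12 server sshd[1205]: Failed password for ubuntu from 203.0.113.45 port 50126 ssh2
Mar 10 08:01:15 server sshd[1205]: Failed password for ubuntu from 203.0.113.45 port 50127 ssh2
Mar 10 08:02:01 server sshd[1210]: Accepted password for ubuntu from 203.0.113.45 port 50130 ssh2
Mar 10 08:02:01 server sshd[1210]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Mar 10 08:02:30 server sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 08:15:00 server sshd[1250]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Mar 10 08:15:10 server sshd[1252]: Accepted publickey for alice from 198.51.100.7 port 41002 ssh2
EOF
}

# Objective: count failed attempts per source IP. Output "<count> <ip>", most frequent first.
failed_by_ip() {
  grep 'Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Detection logic: source IPs with at least $2 failures (default 5, an assumed threshold).
brute_force_ips() {
  failed_by_ip "$1" | awk -v t="${2:-5}" '$1 >= t { print $2 }'
}

# Objective: usernames targeted from IP $2. Handles both "for <user>" and
# "for invalid user <user>" forms of the sshd message.
targeted_users() {
  grep 'Failed password' "$1" | grep -F " from $2 " \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "for") {
               if ($(i+1) == "invalid") print $(i+3); else print $(i+1) } }' \
    | sort -u
}

# Objective: a successful login from an IP that already exceeded the failure threshold.
# Output "<ip> <user>" for each match.
success_after_bruteforce() {
  brute_force_ips "$1" "$2" | while read -r ip; do
    grep 'Accepted ' "$1" | grep -F " from $ip " \
      | awk -v ip="$ip" '{ for (i = 1; i <= NF; i++) if ($i == "for") print ip, $(i+1) }'
  done
}

# Objective: post-login activity. Prints every line mentioning user $3 that appears
# after the first accepted login for $3 from IP $2 (session open, sudo use, ...).
post_login_activity() {
  awk -v ip="$2" -v user="$3" '
    !seen && /Accepted / && index($0, " for " user " from " ip " ") { seen = 1; next }
    seen && index($0, user) { print }
  ' "$1"
}

# Print a compact triage summary for the log at $1 (the raw material for the report).
triage() {
  echo "== Failed password attempts per source IP =="
  failed_by_ip "$1"
  echo "== Sources over threshold and the accounts they reached =="
  success_after_bruteforce "$1" 5 | while read -r ip user; do
    echo "$ip -> $user (accounts targeted: $(targeted_users "$1" "$ip" | tr '\n' ' '))"
    echo "-- post-login activity for $user --"
    post_login_activity "$1" "$ip" "$user"
  done
}

# Stand-alone run against the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
triage "$demo_log"
rm -f "$demo_log"
```

The summary gives the indicators the report needs: the source IP, the accounts it tried, the account it reached, and what that account did next. For the ATT&CK mapping objective, the repeated failures are Brute Force (T1110) and the accepted login followed by use of the account is Valid Accounts (T1078); the post-login lines are where you look for the follow-on techniques.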
## Tools Used
- Docker
- Ubuntu Linux container
- PowerShell
- Linux command line
- `cat`
- `grep`
- `wc`
- `sort`
- GitHub
## Project Files
- `auth.log` - simulated SSH authentication log file
- `Dockerfile` - builds the Linux investigation environment
- `detection-logic.md` - documents detection logic for brute-force activity
- `incident-report.md` - contains a SOC-style incident report
- `solution.md` - contains the challenge solution and evidence
- `01-docker-auth-log-analysis.png` - screenshot showing the lab running in Docker
- `02-bruteforce-detection-evidence.png` - screenshot showing detection evidence
## How to Run
Build the Docker image:

```bash
docker build -t ssh-bruteforce-detection-ir-lab .
```